Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law.  The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online activity while publicly professing to respect users’ Safari browser settings.  While the Third Circuit affirmed the trial court’s dismissal of federal claims under the Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), the court vacated the district court’s dismissal of the plaintiffs’ claims under California tort law and the California constitution’s right to privacy.

The plaintiffs’ claims originated from a 2012 Wall Street Journal article describing a researcher’s findings that Google, despite the Safari browser’s default settings intended to blocking tracking cookies, had utilized methods to circumvent these settings and track Safari users’ Internet browsing habits via tracking cookies.  At the same time, the plaintiffs alleged, Google made a series of public statements, including statements within its privacy policy, indicating that it respected the Safari browser’s cookie-blocking settings.  Google subsequently entered into settlements with the Department of Justice and a consortium of state attorneys general over its practices.  Twenty-four plaintiffs also filed putative class action suits against Google and third-party advertisers, alleging violations of federal and state privacy law.  The suits were combined into the instant litigation in the District of Delaware, and in October 2013, the district court dismissed the complaint in its entirety, finding that the plaintiffs failed to state a claim.

The Third Circuit first determined that the plaintiffs had standing under Article III to pursue their claims.  The court held that the plaintiffs alleged “concrete, particularized, and actual” injuries sufficient to grant Article III standing based on the complaint’s allegations that the defendants “implanted tracking cookies on their personal computers.”  Beyond noting that Google’s argument requiring “actual monetary loss” to bring a federal lawsuit reads Article III jurisprudence too narrowly, the court’s analysis of the standing issue was limited.  To the extent the opinion suggested that Article III standing can arise solely from allegations that a statutorily-created legal right was violated, this proposition may soon be addressed by the Supreme Court in the pending Spokeo appeal.

Having resolved the standing issue, the court turned to the plaintiffs’ Wiretap Act claim, concluding that the allegations at issue did not describe a scenario where Google had intercepted communications between two other parties.  Instead, the court determined that the complaint described a scenario where the plaintiffs’ browsers, upon visiting a website, sent direct requests to the defendants “in the ordinary course” of requesting advertising content at the direction of the visited website.  Despite the plaintiffs’ claims that Google’s methods of obtaining this content were fraudulent or deceitful, the court noted that “just because a scenario sounds in fraud or deceit does not mean it sounds in wiretapping,” relying on prior cases dismissing wiretapping claims where a recipient of a telephone call imitated a third party.  The plaintiffs also argued that the “intended recipient” exception is inapplicable where the interception is made “for the purpose of committing any criminal or tortious act” in violation of state or federal law, but the court noted that a secondary act, not the interception itself, must be criminal or tortious.  As the plaintiffs had only pleaded criminal or tortious interception, not criminal or tortious use of the intercepted content, the court affirmed the dismissal of the Wiretap Act claim.

Turning to the Stored Communications Act, the court agreed with the Fifth, Ninth, and Eleventh Circuits that an end user’s home computer does not qualify as a “facility through which electronic communication service is provided,” as required under the SCA.  The court also affirmed the dismissal of the plaintiffs’ CFAA claims, noting that the plaintiffs had not pleaded “damage or loss,” within the meaning of the statute, as a result of the defendants’ actions.  The plaintiffs argued that the defendants’ unauthorized access to their personal information diminished its value, but the court noted that the complaint did not sufficiently allege that the plaintiffs ever intended to monetize their personal information, or that the defendants’ actions prevented them from doing so.  Taken together, the Third Circuit’s affirmance of the District Court’s rulings on federal law issues supports important defenses for companies facing federal privacy law claims.

However, the Third Circuit rejected several of the District Court’s holdings on California constitutional and state law issues, vacating the dismissal of several claims and reviving a small portion of the plaintiffs’ complaint.  Due to the similarity between the required elements, the court’s opinion addressed the claims for violations of the California constitution’s right to privacy and intrusion upon seclusion together.  To demonstrate a violation of the right to privacy under the California constitution, a plaintiff must plead the existence of a legally protected privacy interest, reasonable expectations of privacy of the part of the plaintiff, and an intrusion that constitutes an “egregious breach of social norms.”  An intrusion upon seclusion, on the other hand, requires an intentional intrusion that is “highly offensive to a reasonable person” into a place where the plaintiff has a reasonable expectation of privacy.  The District Court had dismissed both claims, holding that the plaintiffs’ allegations did not rise to a “highly offensive” or “egregious” levels.

The Third Circuit disagreed, focusing closely on “how Google accomplished its tracking” instead of the information that Google gained as a result.  The opinion noted that Google was “overriding the plaintiffs’ cookie blockers, while concurrently announcing in its Privacy Policy that internet users could ‘reset your browsers to refuse all cookies.’”  According to the Third Circuit, even a sophisticated internet user who knew that his or her information was being sent to Google would reasonably expect that a cookie blocker would prevent tracking of his or her activity.  The ability to use a cookie blocker to prevent advertisers’ use of tracking cookies, therefore, represents a “reasonable expectation” of privacy on the part of the plaintiffs.  Turning to the seriousness of the violation, the court emphasized that Google not only circumvented Safari’s cookie blocking settings, but simultaneously held itself out as respecting them.  According to the court, irrespective of whether “data-based targeting is the internet’s pole star, users are entitled to deny consent, and they are entitled to rely on the public promises of the companies that they deal with.”  Since Google’s conduct was not only “surreptitious,” but also affected “millions of internet users,” the Third Circuit held that a reasonable jury could conclude that Google’s conduct was “highly offensive” or “egregious” and vacated the dismissal of these state law claims.

The state law portions of the Third Circuit’s opinion underscore the importance of ensuring that a company’s privacy policies and other public statements line up with actual practices.  While an intrusion upon an individual’s privacy is not enough, in and of itself, to state a violation of California privacy law, an intrusion combined with inconsistent or deceptive public statements can lead to a different conclusion.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.